• State Not Answered
  • Replies 2 replies
  • Subscribers 583 subscribers
  • Views 91 views
  • Users 0 members are here
Options
Related

Development Environment Security Certificates being prepared for Production?

Kien Mac

Dear AVEVA,

I have a long time customer planning on upgrading to APS2023...
They have a Development environment with fixed IP's and PC names that are none Production. Once tested & validated, the IP's and PC names etc... are changed for deployment into Production.

The question is what is the implications/impacts of changes to PC IP Addresses & Names when they are changed to the authorisation of the certificates for the purpose of Central Deployment to the Production System?

My thoughts that the certificates should be fine for the configurator, but need to check.

Can you please help advise or provide more details on how Central Deployment/Configurator fit/don't fit with the authenticated machines?

Thanks.

Kind regards,
Kien

  • 0

    Hi  ,

    A certificate is bound with machine name not IP. So, you need to update the DNS list in the restored SCADA project matching the machine names in the production environment.

    Below are the list of key points around certificates and authentications and hope it would help.

    • Only one System Management Server is required in a Plant SCADA system
    • A domain user needs to be used to configure System Management Server
    • A self-signed certificate will be issued by SMS to a client node once the client is configured to connect to the SMS
    • A self-signed OPC UA server certificate will be issued and saved in the local store when PCS Runtime component is installed.
    • Deployment Server and SMS can be installed on the same machine or distributed on different machines
    • The same domain user should be used in configuration of deployment server and to authorize client registrations.
    • All server nodes need running in the service mode in order to access the certificate private key
    • SMS also play the role of token host. AIG or OPC UA users will be authenticated via this token service. It is noted that only domain users can be authenticated in a distributed system.